Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

pam.conf(5) [osx man page]

PAM.CONF(5)						      BSD File Formats Manual						       PAM.CONF(5)

NAME

     pam.conf -- PAM policy file format

DESCRIPTION

     The PAM library searches for policies in the following files, in decreasing order of preference:

     1.   /etc/pam.d/service-name

     2.   /etc/pam.conf

     3.   /usr/local/etc/pam.d/service-name

     4.   /usr/local/etc/pam.conf

     If none of these locations contains a policy for the given service, the default policy is used instead, if it exists.

     Entries in per-service policy files must be of one of the two forms below:

	   function-class control-flag module-path [arguments ...]
	   function-class include other-service-name

     Entries in pam.conf-style policy files are of the same form, but are prefixed by an additional field specifying the name of the service they
     apply to.

     In both types of policy files, blank lines are ignored, as is anything to the right of a '#' sign.

     The function-class field specifies the class of functions the entry applies to, and is one of:

     auth      Authentication functions (pam_authenticate(3), pam_setcred(3))

     account   Account management functions (pam_acct_mgmt(3))

     session   Session handling functions (pam_open_session(3), pam_close_session(3))

     password  Password management functions (pam_chauthtok(3))

     The control-flag field determines how the result returned by the module affects the flow of control through (and the final result of) the
     rest of the chain, and is one of:

     required	 If this module succeeds, the result of the chain will be success unless a later module fails.	If it fails, the rest of the chain
		 still runs, but the final result will be failure regardless of the success of later modules.

     requisite	 If this module succeeds, the result of the chain will be success unless a later module fails.	If it module fails, the chain is
		 broken and the result is failure.

     sufficient  If this module succeeds, the chain is broken and the result is success.  If it fails, the rest of the chain still runs, but the
		 final result will be failure unless a later module succeeds.

     binding	 If this module succeeds, the chain is broken and the result is success.  If it fails, the rest of the chain still runs, but the
		 final result will be failure regardless of the success of later modules.

     optional	 If this module succeeds, the result of the chain will be success unless a later module fails.	If this module fails, the result
		 of the chain will be failure unless a later module succeeds.

     There are two exceptions to the above: sufficient and binding modules are treated as optional by pam_setcred(3), and in the PAM_PRELIM_CHECK
     phase of pam_chauthtok(3).

     The module-path field specifies the name, or optionally the full path, of the module to call.

     The remaining fields are passed as arguments to the module if and when it is invoked.

     The include form of entry causes entries from a different chain (specified by other-system-name) to be included in the current one.  This
     allows one to define system-wide policies which are then included into service-specific policies.	The system-wide policy can then be modi-
     fied without having to also modify each and every service-specific policy.

SEE ALSO

     pam(3)

STANDARDS

     X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules, June 1997.

AUTHORS

     The OpenPAM library was developed for the FreeBSD Project by ThinkSec AS and Network Associates Laboratories, the Security Research Division
     of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research program.

     This manual page was written by Dag-Erling Smorgrav <des@FreeBSD.org>.

BSD
								   June 16, 2005							       BSD

Check Out this Related Man Page

PAM_SM_CHAUTHTOK(3)					   BSD Library Functions Manual 				       PAM_SM_CHAUTHTOK(3)

NAME

     pam_sm_chauthtok -- service module implementation for pam_chauthtok

LIBRARY

     Pluggable Authentication Module Library (libpam, -lpam)

SYNOPSIS

     #include <sys/types.h>
     #include <security/pam_appl.h>
     #include <security/pam_modules.h>

     int
     pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv);

DESCRIPTION

     The pam_sm_chauthtok function is the service module's implementation of the pam_chauthtok(3) API function.

     When the application calls pam_chauthtok(3), the service function is called twice, first with the PAM_PRELIM_CHECK flag set and then again
     with the PAM_UPDATE_AUTHTOK flag set.

RETURN VALUES

     The pam_sm_chauthtok function returns one of the following values:

     [PAM_ABORT]	 General failure.

     [PAM_AUTHTOK_DISABLE_AGING]
			 Authentication token aging disabled.

     [PAM_AUTHTOK_ERR]	 Authentication token failure.

     [PAM_AUTHTOK_LOCK_BUSY]
			 Authentication token lock busy.

     [PAM_AUTHTOK_RECOVERY_ERR]
			 Failed to recover old authentication token.

     [PAM_BUF_ERR]	 Memory buffer error.

     [PAM_CONV_ERR]	 Conversation failure.

     [PAM_IGNORE]	 Ignore this module.

     [PAM_PERM_DENIED]	 Permission denied.

     [PAM_SERVICE_ERR]	 Error in service module.

     [PAM_SYSTEM_ERR]	 System error.

     [PAM_TRY_AGAIN]	 Try again.

SEE ALSO

     pam(3), pam_chauthtok(3), pam_strerror(3)

STANDARDS

     X/Open Single Sign-On Service (XSSO) - Pluggable Authentication Modules, June 1997.

AUTHORS

     The pam_sm_chauthtok function and this manual page were developed for the FreeBSD Project by ThinkSec AS and Network Associates Laboratories,
     the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (``CBOSS''), as part of the DARPA
     CHATS research program.

BSD
								 December 18, 2011							       BSD
Man Page